TechRisk Notes#45: $100 million stolen + Ineffective smart contract audit?
Plus, $2.1B crypto at risk due to potential vulnerable wallet codes, very vulnerable industrial router and more!
Tech Risk Reading Picks
Cloud risk: A cloud security study commissioned by Illumio, a Zero Trust Segmentation company, and performed by the independent firm Vanson Bourne, which surveyed 1,600 IT decision-makers, found that nearly half of data breaches originate in the cloud. The study noted that cloud breaches cost organizations around $4.1 million on average. Zero trust is seen as critical for cloud resilience, with 97% believing it can significantly enhance cloud security. Concerns include the complexity of cloud environments, with 98% storing sensitive data in the cloud and 91% worried about unauthorized connectivity. Other risks include overlapping workloads, lack of understanding of responsibilities, social engineering, and visibility issues. [more-report]
Very vulnerable industrial router: At the upcoming Black Hat Europe conference in December, researchers will unveil 21 vulnerabilities in a widely used industrial router, one rated "Critical" and nine rated "High" severity. These routers are prevalent in critical sectors such as medical and manufacturing. Operational technology (OT)/Internet of Things (IoT) routers connect internal networks to the internet, primarily in transportation, government, and water treatment. Exploiting these vulnerabilities could lead to network compromise, malware deployment, espionage, service disruption, and more. [more]
Seven vulnerabilities are in internal components, while 14 stem from open source components like a Wi-Fi captive portal and an XML processing library. The flaws include cross-site scripting, denial of service, remote code execution, unauthorized access, and authentication bypass. Attackers gaining access can bypass traditional industrial security and target critical devices directly.
Regular scans revealed over 86,000 exposed OT/IoT devices, 22,000 of them using default SSL certificates. Fewer than 10% are protected against known vulnerabilities, and 80% of those with management interfaces are end-of-life, making patching impossible.
IoT risk emerging: The Internet of Things (IoT) is becoming increasingly pervasive, with the global number of connected devices projected to exceed 29 billion by 2027. While IoT offers advantages like enhanced efficiency, data-driven insights, and cost reduction, it also introduces security challenges that businesses must address. The integration of IoT into operational technology (OT) environments poses additional risks. [more]
Key IoT vulnerabilities include:
Limited built-in security features: Many IoT devices lack sufficient security measures, making them susceptible to sophisticated attacks that can compromise enterprise networks.
Weak authentication and authorization: Inadequate authentication practices, weak passwords, and insufficient access controls create vulnerabilities, allowing malicious actors to infiltrate networks and devices.
Lack of visibility into devices and connections: In a highly connected environment, gaps in visibility into connected devices create security weaknesses, potentially enabling threats to go undetected.
Excessive implicit trust: Trusting IoT devices without proper scrutiny, especially shadow IoT devices, introduces additional entry points for potential threats, putting critical systems and data at risk.
Not keeping up with patching: Failure to regularly update and patch IoT devices leaves them susceptible to known vulnerabilities, making them attractive targets for cybercriminals.
Ignoring encrypted traffic: While encryption is a security measure, failure to inspect encrypted traffic can allow cybercriminals to hide threats and evade detection, compromising the overall security of the IoT network.
Web3 Cryptospace Spotlight
$100M stolen: 10 Nov - Poloniex, a digital asset exchange, experienced a suspected breach in which over $100 million worth of digital tokens were drained from its wallet. Blockchain security company CertiK suggested that the cause was a "private key compromise" and that the funds had already been moved to external accounts. Justin Sun, who acquired the exchange in 2019, posted on X offering a 5% white-hat bounty to the Poloniex hacker. [more]
Hacked despite multiple security audits: Raft, a decentralized U.S. dollar stablecoin protocol (R token), suffered a security exploit resulting in a $6.7 million loss despite multiple security audits. The exploit was attributed to a precision calculation issue during token minting that was not detected in audits by Trail of Bits and Hats Finance. On Nov 13, a hacker borrowed 6,000 Coinbase-wrapped staked Ether (cbETH) on Aave, transferred it to Raft, and exploited a smart contract glitch to mint 6.7 million R tokens. The attacker then swapped the unauthorized funds through the decentralized exchanges Balancer and Uniswap, netting $3.6 million. The R stablecoin depegged after the attack. [more][more-pos_incident_report]
White hats are not properly incentivised: Chainlight, a blockchain security firm, discovered a potential vulnerability that threatened the $32 million in customer funds held by the DEX Perpetual Protocol. The firm was awarded a $10,000 bounty for identifying and reporting the vulnerability. This situation underscores the challenges white-hat hackers face within the industry, as they are not properly incentivised to help crypto platforms expose vulnerabilities in their code. [more]
$2.1 billion crypto wallets at risk: Cybersecurity firm Unciphered discovered a potential issue in Bitcoin wallets generated by BitcoinJS and related projects, impacting millions of wallets and around $2.1 billion in crypto assets. The problem may also affect various other blockchains and projects. Users of wallets created between 2011 and 2015 have been advised to transfer their assets to newer wallets. The company issued an alert to millions, urging those with self-custody wallets generated before 2016 to consider the transfer. While not all affected wallets are equally impacted, the vulnerability is deemed exploitable, although the company refrained from disclosing details to prevent misuse by malicious actors. [more][more-report]
Ethereum Drainer: In the last six months, hackers exploited a vulnerability in Ethereum's code, stealing over $60 million from almost 100,000 victims. They abused the Create2 function, which decentralized apps like Uniswap normally use to predict smart contract addresses. By manipulating Create2, hackers were able to generate disposable wallet addresses to receive stolen funds without triggering security alerts. [more][more-2]
Still Web2 risk: A study by Immunefi, a blockchain security platform, revealed that almost half of the cryptocurrency lost in Web3 exploits in 2022 was a result of Web2 security issues - particularly leaked private keys. Surprisingly, 46.48% of the crypto losses were attributed to "infrastructure weaknesses" or problems with the development firm's computer systems, rather than flaws in smart contracts. This highlights the significance of addressing security issues beyond the decentralized smart contract layer in the crypto space. [more][more-report]